What you want is not possible because DNS resolves to one IP, not to a NAT’ed 
IP.
Doing this differently is very hacky and totally unsupported. One host, one IP, 
one DNS record. NAT doesn’t belong in this type of networking.

If you really wanted to shoot yourself in the foot, you can use Unbound and a 
Python plugin to do record-rewriting on the fly. The IPA DNS server would 
return 10.3.2.33 for example and that would be rewritten to 172.16.2.33 if you 
desire that.
Queries would have to go to the unbound server and it forwards them to the IPA 
server. Responses are then rewritten on the fly if they contain the foreign IP 
range. This is bad in so many ways…


> On 21 Jun 2017, at 14:26, Kat via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Nothing? No suggestions?
> 
> Is it not possible to support DNS through a NAT?
> 
> -K
> 
> 
> On 6/20/17 1:32 PM, Kat wrote:
>> Here is an odd problem (I think).
>> 
>> I am using IPA in one environment, and want to set up a replica in another 
>> environment through natted connections. I can set up the client to the NAT 
>> server, but here is the tricky part - IPA is also DNS. So if I try to bring 
>> the DNS setup over with --
>> 
>> ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
>> 
>> It fails, because when it tries to look up the master on the other side of 
>> the NAT FW, of course it resolves incorrectly. The first failure is 
>> conn-check, so even if I --skip-conncheck, it still fails since DNS will not 
>> resolve.
>> 
>> Suggestions?
>> 
>> -K
>> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
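The rewrite described above (answers forwarded from the IPA DNS server, A records in the remote range patched to the NAT'ed range before they reach the client) boils down to a few lines of wire-format surgery. The block below is an added, stand-alone illustration written for this page; it is not code from the thread, from FreeIPA or from Unbound, and it does not plug into Unbound's Python module API. It builds a constructed DNS response, rewrites any A rdata inside an assumed foreign prefix (10.3.2.0/24, per the example in the reply) to the same host offset in an assumed local prefix (172.16.2.0/24), and shows one of the "bad in so many ways" points concretely: if the answer carries RRSIG records, altered rdata will fail DNSSEC validation downstream, so the function leaves signed answers untouched and reports it instead of silently corrupting them. The zone name and the RRSIG placeholder are constructed values.

```python
import ipaddress
import struct

# Assumed prefixes: the IPA server returns addresses in FOREIGN_NET, the local
# side reaches those hosts through NAT as LOCAL_NET (constructed for this example).
FOREIGN_NET = ipaddress.ip_network("10.3.2.0/24")
LOCAL_NET = ipaddress.ip_network("172.16.2.0/24")

TYPE_A = 1
TYPE_RRSIG = 46


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, addresses, signed=False):
    """Constructed DNS response (id 0x1234, QR|RD|RA) with one A RR per address.
    With signed=True a placeholder RRSIG RR is appended to exercise the DNSSEC check."""
    ancount = len(addresses) + (1 if signed else 0)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name at offset 12
    for addr in addresses:
        msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
        msg += ipaddress.ip_address(addr).packed
    if signed:
        fake_sig = b"\x00" * 18  # constructed RRSIG rdata, not a real signature
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(fake_sig)) + fake_sig
    return msg


def skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _parse_rrs(msg):
    """Walk answer/authority/additional sections; yield (rtype, rdata offset, rdlen)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # qtype + qclass
    rrs = []
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((rtype, off, rdlen))
        off += rdlen
    return rrs


def a_records(msg):
    """List the A addresses present in a response, as strings."""
    return [str(ipaddress.ip_address(msg[o:o + 4]))
            for rtype, o, rdlen in _parse_rrs(msg) if rtype == TYPE_A and rdlen == 4]


def rewrite_response(msg, src_net=FOREIGN_NET, dst_net=LOCAL_NET):
    """Rewrite A rdata inside src_net to the same host offset in dst_net.
    Returns (new_msg, rewritten_count, signed). A response carrying RRSIG records
    is returned unchanged with signed=True: rewritten rdata would no longer match
    the signature, so a validating client would SERVFAIL instead of using it."""
    rrs = _parse_rrs(msg)
    if any(rtype == TYPE_RRSIG for rtype, _, _ in rrs):
        return msg, 0, True
    out = bytearray(msg)
    rewritten = 0
    for rtype, o, rdlen in rrs:
        if rtype != TYPE_A or rdlen != 4:
            continue
        addr = ipaddress.ip_address(msg[o:o + 4])
        if addr in src_net:
            new = dst_net.network_address + (int(addr) - int(src_net.network_address))
            out[o:o + 4] = new.packed
            rewritten += 1
    return bytes(out), rewritten, False


if __name__ == "__main__":
    raw = build_response("ipa.example.test.", ["10.3.2.33", "192.0.2.10"])
    new, count, signed = rewrite_response(raw)
    print(count, signed, a_records(new))
    signed_raw = build_response("ipa.example.test.", ["10.3.2.33"], signed=True)
    new, count, signed = rewrite_response(signed_raw)
    print(count, signed, a_records(new))
```

Only the A rdata bytes change; the message length, IDs and TTLs are untouched, which is what makes the rewrite transparent to a non-validating client and exactly what makes it indistinguishable from tampering to a validating one. Anything that embeds addresses elsewhere (PTR zones, SRV targets resolved by name, Kerberos tickets that carry addresses) is not covered by this and is another reason the approach stays unsupported.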